Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Discussion in 'other security issues & news' started by stapp, Sep 18, 2017.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Guess this is FUD (not from you @itman ). It's just one comment so far from that poster called Stribs. OTOH I agree to turn the red lights on if we could see many more comments on the web. Maybe I'm wrong.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Isn't the problem that no matter what an infected person has done to subsequently rectify this e.g. clean install, 'they' already have your data in stage 1 attack?

    The horse has bolted. No backdoor necessary now.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I agree. Person could get their system compromised on many ways and then think that they got infected by compromised CCleaner binary. If there was widespread infection going on, we would probably know about it by now.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I once again have to disagree. Obviously, when a browser is infected you can't block it from outbound access, and there is also no easy way of knowing which connections are suspicious. But you can still restrict the hell out of it, this means block it from getting access to private folders, block child process execution, and block it from injecting code into other processes, for example.
     
  5. alawyer

    alawyer Registered Member

    Joined:
    May 17, 2017
    Posts:
    35
    Location:
    the final frontier
    Would be good if possible if firewalls only allowed such applications if allowed internet access to the approved ip addresses ie in this case cc servers.

    Norton appears to have added this in some shape to it's av. Couldn't test it as it was struggling to install on my pc. Others may have had better luck?
     
  6. alawyer

    alawyer Registered Member

    Joined:
    May 17, 2017
    Posts:
    35
    Location:
    the final frontier
    Best advice I think itman reiterated or gave was clean wipe and fresh install. Or go to a much earlier image.
     
  7. alawyer

    alawyer Registered Member

    Joined:
    May 17, 2017
    Posts:
    35
    Location:
    the final frontier
    As to Cisco AMP frankly they need to allow small businesses to purchase the fee AMP software without having to purchase equipment from them.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Most third party firewalls included in AV Internet suites have an outbound monitoring option. "The rub" so to speak is you must know what are and are not valid IP address for the app update servers. Also it is not unusual for apps to use third party servers like Akamai for updating. Bottom line - this concept is "easier said than done" in actual practice.

    For corps, SOP is to run all app updates on a test rig and monitor functionality and behavior for an extended period of time prior to rolling out the update to all network endpoints. Note that in the CCleaner episode, the backdoor C&C connection occurred one hour after infected update download I believe.
     
  9. The Count

    The Count Registered Member

    Joined:
    Jun 13, 2016
    Posts:
    177
    Location:
    France
    I have an older computer with CC Cleaner, I haven't updated since first install 4 years - I'm good?
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, you are OK.
     
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    Avast blog on 17 April 2018 :
    "Recent findings from CCleaner APT investigation reveal that attackers entered the Piriform network via TeamViewer"
    https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer

     
    Last edited: Apr 18, 2018
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yup, this attack could have been disastrous, luckily they were not interested in home user PC's. And some people seem to forget that they could have executed any malware that they wanted to, think of ransomware. In fact, the Trojan that was included could have also performed keylogging, but the goal was to get the more advanced ShadowPad keylogger on the system in order to perform industrial espionage.
     
  13. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    778
    Location:
    Oklahoma City
    I have continued to use CCleaner even after the September, 2017 scare....no problems whatever. I use EEK and MTR OnDemand scans and have Windows Defender and MBAM Resident Scans daily. Also maintain daily backups with Reflect and weekly backups with AOMEI. Have updated Fall Update and Spring Update with no problems, so I am keeping CCleaner at least for now. I know some think it is risky, but then I believe some other programs may be risky also, so am doing what works for me.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This type of attack could happen to any company. Probably the best way to deal with it is to simply block most apps from connecting out, this also means that you should stop relying on auto-update functions. I rather manually download updates and use a third party update-checker.
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    I always used manual update for most part of my programs. Anyway, I 'm using yet Ccleaner 5.30 version: I didn't see important improvements in latter versions.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.